Step 6: Testing
How can we tell whether Appelbaum is actually able to glean the encryption key from the MacBook?
The answer is simple: an Apple utility called "hdiutil" can display the AES key for a FileVault volume as long as the passphrase is typed in first. If Appelbaum's able to find it on his own, he's discovered a way to bypass FileVault--at least when the computer is turned on or is in sleep mode.
To use hdiutil, I logged out of the Breakme account, meaning the FileVault volume would be automatically unmounted. Then I made a copy of the breakme.sparseimage file and extracted the AES key by running hdiutil and typing in the passphrase. The key turned out to be: dd6a242a3a90ee1f60a8c53db59a4133.
The length of the AES key in Mac OS X Tiger is 32 hexadecimal characters, or 128 bits. While FileVault in Mac OS X Leopard can use a 256-bit AES key, the extraction process would be the same.
Photo by Declan McCullagh/CNET News.com
